I have a regular scenario where WIREGUARD should come in WAN2, despite WAN1 being the primary Route.
Case in point, an AX3 as peer (client for handshake) to a CCR2004 peer ( server for handshake )
Easily handled by basic mangling and table and route.
/ip mangle
add chain=input action=mark-connection connection-mark=no-mark in-interface=WAN2 \
new-connection-mark=incomingWAN2 passthrough=yes
add chain=output action=mark-route connection-mark=incomingWAN2 \
new-route-mark=useWAN2 passthrough=no
/routing-table add fib name=useWAN2
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=gw1-IP check-gatway=ping
add distance=2 dst-address=0.0.0.0/0 gateway=gw2-IP check-gatway=ping
add dst-address=0.0.0.0/0 gateway=gw2-IP routing-table=useWAN2
The problem is that although the tunnel seems to come up it is not acting properly and the proof is in the fact that one cannot access the router via winbox.
The rather poor work around, that seemed to work was adding this Dstnat rule, which by the way is totally non-intuitive.
/ip firewall nat
chain=dstnat dst-address-type=local in-interface=WAN2 protocol=udp dst-port=wg-port action=dst-nat to-addresses=ip.of.wan.1
On connections tracking, Prior to using this rule, one would see the initial attempt from my public IP to WAN2 but the response would come from WAN1............. very strange.
Both of these would be designated C connections...... ( meaning no responses?)
After using this rule, there were no more returns from WAN1 to my wireguard connection, so progress.
The connection tracking alternated (never at the same time) between Cd now and SACd and they would appear then disappear..........
............
............
Why do I think there is a BTH bug involved?
Because no keep alive is set on this Peer ( server for handshake ) and thus WHY is the wireguard module contacting or using WAN1 despite our mangle?
Why is it ACTIVELY trying to reach the wireguard peer ( client for handshake )?
The only answers that make sense are
a. persistent keep alive setting ( not the case )
b. the wireguard is attempting to send some payload back to the peer ( maybe the case? ).
c. BTH bug where the Server Peer continually attempt to re-establish or connect to client peer
In both cases B, C the wireguard is trying to connect to the last passed peer address./port which would be the public IP (my public IP) of the Peer CLient but it uses the default route of the ROUTER, in this case WAN1 to do so. In the case of the BTH traffic, this is not a response to the peer client its the wireguard attempting to request or update peer IP information.........
Regardless, the wireguard module is ignoring the destination address used to handshake and simply going out primary routing WAN, as its not seemingly a response but originated traffic.
Why the dst-nat rule kinda works is that its doing some magic!
We make any responses from the local interface appear as if they were responses to the remote incoming traffic.
and thus they will get assigned connection-mark as well and then get routed out WAN2.
++++++++++++++++++++++++++++++++++
the bug can be described as follows:
in terms that even if there is no keepalive at either end so there is complete silence until the initiating peer sends a first ever transport packet provoked by a payload one, the responding peer sends its response from an address chosen by routing rather than from the one to which the initial packet has arrived
+++++++++++++++++++++++++++++++++
Request others to attempt to duplicate this WEIRD, if not buggy functionality.
Want to be sure I am not totally bonkers, before going to MT.........